Rules of Behavior

Cloud Account Usage

  • The AWS at Emory service is the only cloud infrastructure as a service solution approved for storing or processing Confidential or Restricted Emory data as defined in Emory’s Disk Encryption Policy.
  • The use of personal AWS accounts or other cloud infrastructure as a service solutions (e.g. Microsoft Azure, Google Cloud, etc.) for storing or processing Confidential or Restricted Emory data is prohibited without explicit prior approval by OIT Enterprise Security.

Account Governance

  • An active and valid 10-digit Emory SpeedType must be supplied and maintained by the account owner throughout the lifecycle of each account. The account owner must be an authorized user of the SpeedType, and the SpeedType must have sufficient funds to cover all costs associated with the account.
  • Usage of the AWS at Emory service offering by account owners and/or any other individual granted access to the AWS at Emory service (e.g. account administrators) is contingent upon the acceptance of these AWS at Emory Service Rules of Behavior, any Emory policies governing the usage of the AWS at Emory service offering, and any future versions of these requirements. Utilization of the AWS at Emory service constitutes your consent to these provisions.
  • Each AWS at Emory account owner is responsible for all activity that takes place within each of their accounts. This provision applies regardless of whether the activity within the account was initiated by the account owner, by other individuals authorized by the account owner or account administrators, or even by unauthorized users who may gain access to the account for illicit purposes (e.g. cryptocurrency mining). This provision explicitly assigns financial responsibility and accountability to the account owner for any and all charges originating within the account, regardless of their origin or nature.

Service Accounts

  • AWS at Emory Service Accounts must be used exclusively as service accounts and solely for the specific stated purpose for which they were originally provisioned.

Special considerations for ePHI, IHI, and other Confidential or Restricted information

  • Within the AWS at Emory service, the storage and processing of electronic Protected Health Information (ePHI) and Identifiable Health Information (IHI), as defined within Emory’s Privacy Policy Manual, is restricted to AWS at Emory accounts that have been designated as “HIPAA Accounts”. This designation is chosen at account creation time, and it is the responsibility of each account owner and account administrator to ensure that the storage and processing of ePHI and IHI within the AWS at Emory service is restricted solely to accounts with this “HIPAA Account” designation. Failure to do so is a direct violation of the HIPAA Security Rule.
  • All ePHI and IHI data must be encrypted in transit (e.g. while traveling over a network from one EC2 instance to another, even within the same VPC) and at rest (e.g. while being stored in a service such as S3 or Elastic Block Store).
  • All account holders within an AWS at Emory “HIPAA Account”, including the account owner and administrators, must understand and comply with any AWS service-specific requirements necessary to maintain HIPAA compliance within their HIPAA Account. AWS provides guidance on this topic in their publication “Architecting for HIPAA Security and Compliance on Amazon Web Services” (see references for link).
  • ePHI and IHI must never be stored or processed by any AWS services that have not been specifically identified by AWS as HIPAA eligible services even if the service itself is available within an AWS at Emory “HIPAA Account”.
  • ePHI, IHI, or other Confidential or Restricted information must never be used in AWS Tags or other metadata fields associated with AWS services or objects as it is not feasible to maintain the confidentiality of this information.
  • AWS at Emory accounts must not be utilized to store or process data subject to the Payment Card Industry Data Security Standard (PCI DSS) or the Federal Information Security Management Act (FISMA) without explicit prior approval by OIT Enterprise Security.
  • When using the AWS at Emory service, all users must adhere to all applicable Emory policies (http://policies.emory.edu/). Of particular note are users working with sensitive data, such as data subject to HIPAA or other regulations that impose specific security or administrative requirements. In addition, these policy requirements apply to all devices (e.g. smartphones, tablets, laptops, workstations) that are used for the transmission, storage, or use of data in this environment.

Account Maintenance

  • OIT maintains the authority and reserves the right to make modifications to client accounts as required in order to maintain the health and security of the AWS at Emory Service. These modifications may include among other things:
    • Restrictions to the AWS services or sub-components of an AWS Service available within an account
    • Restrictions associated with various Identity and Access Management (IAM) roles within an account
    • Addition of AWS services, resources, or user accounts within an account for monitoring, security, or administrative purposes
    • Modifications necessary to facilitate vulnerability scanning
    • Restricting, disabling, or backing out potentially dangerous configurations
    • Quarantining, disabling, or shutting down infrastructure (e.g. EC2 instances, S3 buckets, etc.) to address critical or immediate threats
  • A monthly (or more frequent) downtime window must be defined for each account, during which potentially disruptive maintenance (such as patching) can be performed by the account owner or account administrators.

AWS Shared Responsibility Model

  • All account owners and administrators must understand the AWS Shared Responsibility Model (see references), as AWS at Emory account holders are responsible for implementing and managing both shared controls (e.g. patching of operating systems and applications, configuration management, training, etc.) and customer-specific controls (e.g. data encryption, service protection, network zone security, etc.) within the AWS at Emory service.
  • AWS at Emory account owners and administrators must follow all AWS at Emory service-specific guidelines as documented in the Security Assessment Report, available on the Services tab of the AWS at Emory VPCP Console application.

Security Controls

  • Users of the AWS at Emory service must not attempt to hack, disable, bypass, or interfere with security controls, restrictions, or monitoring mechanisms implemented within the service.
  • AWS at Emory service account owners and administrators are required to remediate risks identified within their AWS at Emory accounts in a timely manner.

Sanctions

  • Failure to comply with these requirements may have legal consequences and may result in:
    • Suspension or termination of access;
    • Disciplinary actions (up to and including termination of employment) in accordance with applicable university policy.

References

V8, updated on 11/18/2019